Hi Peter,

On 11/09/2010 04:15 AM, From Peter Saint-Andre:
> Do you think that those justifications are not compelling? On the client side we've moved from SHOULD NOT to MAY, and I would be open to saying that wildcards are truly optional on the CA side as well, if we think that (1) they are valuable and (2) they do not have undesirable security properties.
I apologize for the huge delay, as I'm fighting a flu and a huge backlog. I believe the wording is still a bit strong, since "SHOULD NOT" means you really should *not*, except in very specific, exceptional circumstances.

My opinion is that, with good constraints in place (that is, contractual, proper validation of the applicant, etc.), wildcards should be legitimate in every respect, and there are many good examples of those (remember XMPP?). From the CA perspective, the CA really MUST have controls in place to prevent misuse; however, if the CA will issue certificates for paypal.domain.com, the argument against wildcards is obviously moot.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
